Microsoft 365 application integrations

What are Application Integrations

Microsoft 365 is a suite of services used for file managementcommunications and collaborations. It includes services like Microsoft TeamsSharePoint OnlineExchange Onlineand Office 365 applications (such as WordPowerPointand Excel). In order to enhance usability and allow user customizationMicrosoft allows application integrations that allow users to connect third-party services to Microsoft 365 services. These application integrations will let you do things like utilize Grammarly's writing assistance in Microsoft Wordcreate Zoom meeting links in Outlookor search Wikipedia articles in Teams chats. 

How do Application Integrations work

These application integrations work by requesting various levels of access to user data via Microsoft Graph permissions. Some permissions are delegated and only allow the application to act in the scope of the signed-in user. Other permissions are application-level and act with admin-level access to all accounts in the organization. These different scopes allow some permissions to be safer (like requesting read access to the files owned by the signed-in user)while other applications use permissions that are riskier (like requesting read & write access to the files of all users in the organization).

When the user adds the application integrationthey will be asked to grant their consent so that the application can use various permissions.

Where do Application Integrations come from

Applications can be written by both independent developers and large companies. Regardless of who creates the applicationthey must register for a Microsoft Partner account to make a submission. The application is also testedundergoing the Microsoft app certification processbefore the submission is accepted. In additionthe application creator can apply for publisher verificationwhich means that the organization that publishes the app has undergone greater scrutiny by Microsoft. Verified publishers will have a blue check mark next to their names.

Installing Application Integrations

In order to better manage the risk involved with application integrationsour organization has created a policy to manage which applications can be used in a self-service fashion. We're restricting the self-service installation of applications to those that meet the following requirements: 

• The application is from a verified publisherdenoted by the blue check mark on the consent page or the certification badge in the Microsoft app store

• The application only uses permissions that we've determined to be low-impact

These restrictions are in place to limit the organization's risk. They ensure that the application is from a reputable developerhas undergone extensive testingand only uses low-impact permissions that have been scoped to the individual user. We're able to continue allowing self-service installation of application integrations by restricting this to applications of low-risk. 

What if I cannot install the Application Integration

You may find an application integration that you would like to installbut it isn't from a certified publisher or it requires riskier permissions. In these casesafter you accept the permissions request you will be notified that a global administrator needs to grant consent. In many casesthis means that the application was designed to work only if it has application-level permissions and expects to access data from all users accounts. In these situationswe'd urge you to reconsider and perhaps find an alternative. Allowing an application that can access more sensitive types of data or can access all accounts in the organization is much riskier than allowing an application that is limited to accessing a specific account or uses low-impact permissions. 

In the event that you want to use an application integration that exposes the campus to greater riskyou can request an application review. The review process involves both

• a vendor risk assessment by the GovernanceRiskand Compliance (GRC) teamand
• a permission and scope review by the Office 365 team

A GRC review is generally included when an application is purchased. In the event that this is a free applicationthen you can start the process by filling out their form. The review by the Office 365 team can be initiated by sending an email to [email protected] that includes the intended user groupthe intended use caseand the developer's documentation regarding installation and requested permissions.